Last Updated: 10th November 2020
This Data Protection Addendum (“DPA”) is incorporated into and made part of the Terms of Service (“Terms”) and governs the Processing of Personal Data by LambdaTest as a Processor on behalf of Customer or Customer Affiliates, as applicable. Unless otherwise defined in this DPA, capitalized terms shall have the same meaning as given to them in the Terms.
“Appropriate Technical and Organizational Measures”, “Personal Data”, “Personal Data Breach”, “Process / Processing”, “Controller”, “Processor”, “Subprocessor” and “Data Subject” shall have the same meaning as ascribed to them under the GDPR provided that “Personal Data” as used herein only applies to Personal Data for which LambdaTest is a Processor.
“Data Protection Legislation” means applicable laws and regulations relating to the privacy and security of Personal Information, including but not limited to GDPR, as such laws shall be amended, revised or replaced from time to time.
“Data Protection Officer” means a data protection officer appointed pursuant to Data Protection Legislation.
“Delete” means removing or obliterating Personal Data such that it cannot be recovered or reconstructed.
“GDPR” means General Data Protection Regulation (EU) of 2016/679.
“Restricted Transfer” means any transfer of Personal Data to countries outside of the European Economic Area (EEA) which are not subject to an adequacy decision by the European Commission, where such transfer would be prohibited by Data Protection Legislation.
“Standard Contractual Clauses” means the contractual clauses dealing with the transfer of Personal Data outside the EEA, which have been approved by (i) the European Commission under the Data Protection Legislation, or (ii) by a competent supervisory authority under Data Protection Legislation.
“Security Features” means any security feature, including any encryption, pseudonymization, key, PIN, password, token or smart card.
a. LambdaTest shall:
b. Each Customer or Permitted User hereby instructs and authorizes LambdaTest (and authorizes LambdaTest to instruct each subprocessor) to Process Personal Data and Account-Related Information for the above purposes including authorizing LambdaTest to transfer such data to any country or territory as reasonably necessary for the provision of LambdaTest Services and consistent with the Terms.
LambdaTest shall take reasonable steps to ensure the reliability of all its employees who have access to Personal Data and Account-Related Information and to ensure that such employees have committed themselves to a binding duty of confidentiality in respect of such Personal Data and Account-Related Information.
a. LambdaTest shall:
b. Customer acknowledges that LambdaTest is under no duty to investigate or ensure the completeness, accuracy or sufficiency of (i) any instructions received from the Customer or (ii) any Account-Related Information or Personal Data.
c. Customer shall:
a. LambdaTest shall, in accordance with requirements under the Data Protection Legislation, implement Appropriate Technical and Organizational Measures to safeguard the Account-Related Information and Personal Data from unauthorized or unlawful Processing, or accidental loss, alteration, disclosure, destruction or damage, and that, having regard to the state of technological development and the cost of implementing any measures.
b. LambdaTest shall, in accordance with Data Protection Laws, make available to the Customer such information in LambdaTest’s possession or control as the Customer may reasonably request with a view to demonstrating LambdaTest’s compliance with the obligations of data processors under Data Protection Laws in relation to its processing of Personal Data.
c. The Customer may exercise its right of audit under Data Protection Laws in relation to Personal Information. Customer acknowledges that doing the following is sufficient for satisfying Customer’s right to an audit:
a. Taking into account the nature of the Processing, LambdaTest Service provides functionality to assist Customer by Appropriate Technical and Organizational Measures, insofar as this is possible, to access, correct, amend, restrict, or delete Personal Data contained in LambdaTest Services to address requests by a Data Subject under the GDPR. To the extent Customer, in its use of LambdaTest Services, is not familiar with LambdaTest Services functionality that may be used for these purposes, LambdaTest will provide Customer with additional Documentation or customer support assistance to educate the Customer on how to take such actions.
b. LambdaTest shall notify Customer as soon as reasonably practicable if it receives:
c. LambdaTest shall not disclose the Personal Data to any Data Subject or to a third party other than at the request of Customer, as provided for in this DPA, or as required by law in which case LambdaTest shall to the extent permitted by law inform Customer of that legal requirement before Customer discloses the Personal Data to any Data Subject or third party.
d. LambdaTest shall not respond to any request from a Data Subject except on the documented instructions of Customer or a Permitted User or as required by law, in which case LambdaTest shall to the extent permitted by law inform Customer of that legal requirement before LambdaTest responds to the request.
a. LambdaTest shall notify Customer without undue delay upon LambdaTest or any Subprocessor becoming aware of a Personal Data Breach, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform (a) affected Data Subjects, and (b) any other persons or entities required to be recipients of a notification, of the Personal Data Breach.
b. LambdaTest shall use commercially reasonable efforts to cooperate with Customer and take such commercially reasonable steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Prior to or upon termination or expiration of the Terms for any reason, Customer may retrieve Personal Data processed by LambdaTest Services in accordance with the Terms at Customer’s request provided in writing to LambdaTest. LambdaTest shall, as soon as possible, return or delete Personal Data from LambdaTest Services, unless applicable law requires storage of the Personal Data.
a. LambdaTest may transfer and access Personal Data to and from other countries, for provision of LambdaTest Services, where LambdaTest has operations or Subprocessors or as otherwise required by the applicable law.
b. A Restricted Transfer may not be made by LambdaTest (other than transfers to Affiliates and by any agents and Subprocessors for the purposes of performing the LambdaTest Services, and Customer shall use commercially reasonable efforts to obtain explicit consent from relevant Data Subjects in respect of such potential transfers) without the prior written consent of Customer (such consent not to be unreasonably withheld, delayed or conditioned), and if such consent has been obtained (or is unnecessary), such Restricted Transfer may only be made where there are Appropriate Technical and Organisational Measures in place with regard to the rights of Data Subjects (including but not limited to the Standard Contractual Clauses, Privacy Shield, binding corporate rules, or any other model clauses approved by the applicable supervisory authority).
a. Customer authorizes LambdaTest to appoint (and permit each Subprocessor appointed in accordance with this section 10 to appoint) Subprocessors in accordance with this section 10 and any restrictions in the Terms without any prior approval.
b. LambdaTest may continue to use those Subprocessors already engaged by LambdaTest or any LambdaTest Affiliate as at the date of this DPA, subject to LambdaTest in each case as soon as practicable meeting the obligations set out in section 10.d. A list of the categories of Subprocessors appointed by LambdaTest is maintained on our Website at Sub-Processors. If Customer objects to such sub-processing arrangements, then Customer must notify LambdaTest and, if Customer does so confirm, Customer acknowledges that Customer may no longer be able to avail of some or all of the LambdaTest Services.
c. With respect to each Subprocessor, LambdaTest shall,
d. LambdaTest shall remain fully liable to Customer in respect of any failure by the Subprocessor to fulfil its data protection obligations regarding Personal Data.
LambdaTest shall appoint a Data Privacy Officer, if required to do so pursuant to Data Protection Legislation in connection with the performance of the LambdaTest Services and can be reached at firstname.lastname@example.org